US7808897B1ExpiredUtility

Fast network security utilizing intrusion prevention systems

96
Assignee: IBMPriority: Mar 1, 2005Filed: Mar 1, 2006Granted: Oct 5, 2010
Est. expiryMar 1, 2025(expired)· nominal 20-yr term from priority
H04L 43/00H04L 63/0209H04L 63/1408
96
PatentIndex Score
205
Cited by
28
References
32
Claims

Abstract

Intrusion Prevention Systems (“IPSs”) are used to detect and/or prevent intrusion events from infiltrating a computer network. However, in large computer networks the IPSs cannot conduct their analysis on network data traffic quickly enough in the network core to meet the demand placed on them by the computer networks, thereby causing delays in the transmission of network data traffic from a source to a destination. To prevent this delay, the IPSs can be configured to intelligently communicate with a high-capacity network switch. The IPSs conduct the initial inspection of the network data traffic flows to determine if an intrusion event is present. However, after the initial inspection, the IPS can inform the switch of what actions to take for future traffic flows including determining which future traffic flows are inspected by the IPSs and which future traffic flows are allowed to be blocked or transmitted to their destination by the switch.

Claims

exact text as granted — not AI-modified
1. A computer-implemented method for providing intrusion protection for a unique packet flow of network data traffic, comprising the steps of:
 receiving at a switch a first portion of the unique packet flow; transmitting a congestion message to an intrusion prevention system in response to a table of packet flow information on the switch approaching its maximum capacity and transmitting a list of one or more packet flows to the intrusion prevention system that can be deleted from the table; 
 determining at the switch whether a second portion of the unique packet flow has previously been received at the switch; 
 in response to determining that the second portion of the unique packet flow has not been received at the switch, analyzing the first portion of the unique packet flow at the intrusion prevention system; and 
 in response to determining that the second portion of the unique packet flow has been received at the switch, checking a value of a single status field corresponding to the unique packet flow, and based on the value, performing one of:
 blocking the first portion of the unique packet flow at the switch without communicating information relating to the unique packet flow to a security device; and 
 transmitting the first portion of the unique packet flow from the switch to its intended destination without communicating information relating to the unique packet flow to the security device. 
 
 
     
     
       2. The method of  claim 1 , wherein the step of determining whether the second portion of the unique packet flow has previously been received at the switch further comprises the step of comparing packet flow information relating to the first portion of the unique packet flow to a plurality of packet flow information entries in a table corresponding to a plurality of previously received packet flows. 
     
     
       3. The method of  claim 2 , wherein the step of comparing the packet flow information further comprises determining whether a source IP address, a destination IP address, a source port, a destination port, a layer-4 protocol, and a VLAN tag for the first portion of the unique packet flow matches a source IP address, a destination IP address, a source port, a destination port, a layer-4 protocol, and a VLAN tag for one of the plurality of packet flow information entries in the table corresponding to one of the plurality of previously received packet flows. 
     
     
       4. The method of  claim 1 , further comprising a plurality of intrusion prevention systems, wherein the step of analyzing the first portion of the unique packet flow at an intrusion prevention system in response to determining that the second portion of the unique packet flow has not been received at the switch, further comprises the steps of:
 assigning the unique packet flow to one of the plurality of intrusion prevention systems; 
 assigning a packet flow number to the unique packet flow; 
 gathering packet flow information for the first portion of the unique packet flow; 
 determining whether the first portion of the unique packet flow contains a security violation; and 
 assigning a status value to the unique packet flow. 
 
     
     
       5. The method of  claim 4 , further comprising the steps of:
 assigning an interest priority value for the unique packet flow; and 
 assigning a global interest priority value at the switch. 
 
     
     
       6. The method of  claim 4 , wherein the step of assigning the unique packet flow to one of the plurality of intrusion prevention systems, further comprises the steps of:
 creating a hash value for the unique packet flow from the packet flow information; 
 dividing the hash value for the unique packet flow by a number equal to the quantity of intrusion preventions systems that are available to analyze the unique packet flow; and 
 assigning the unique packet flow with the switch to the intrusion prevention system associated with a remainder value resulting from the step of dividing the hash value. 
 
     
     
       7. The method of  claim 1 , further comprising the steps of:
 transmitting a flow qualification message relating to the unique packet flow from the intrusion prevention system to a table on the switch; 
 transmitting the first portion of the unique packet flow from the intrusion prevention system to the switch; and 
 performing an action on the first portion of the unique packet flow at the switch. 
 
     
     
       8. The method of  claim 7 , wherein the step of performing an action on the first portion of the unique packet flow, further comprises one of:
 blocking the first portion of the unique packet flow at the switch, and 
 transmitting the first portion of the unique packet flow from the switch to its intended destination. 
 
     
     
       9. The method of  claim 1 , wherein the step of in response to determining that the second portion of the unique packet flow has been received at the switch, further comprises the option of:
 analyzing the first portion of the unique packet flow at the intrusion prevention system. 
 
     
     
       10. The method of  claim 9 , wherein the step of analyzing the first portion of the unique packet flow at the intrusion prevention system in response to determining that the second portion of the unique packet flow has been received at the switch, further comprises the steps of:
 determining whether the first portion of the unique packet flow contains a security violation; and 
 assigning a status value to the unique packet flow. 
 
     
     
       11. The method of  claim 10 , further comprising the steps of:
 assigning an interest priority value for the unique packet flow; and 
 assigning a global priority value at the switch. 
 
     
     
       12. The method of  claim 10 , further comprising the steps of:
 transmitting a flow qualification message relating to the unique packet flow from the intrusion prevention system to a table on the switch; 
 transmitting the first portion of the unique packet flow from the intrusion prevention system to the switch; and 
 performing one of:
 blocking the first portion of the unique packet flow at the switch; and 
 transmitting the first portion of the unique packet flow from the switch to its intended destination. 
 
 
     
     
       13. The method of  claim 1 , further comprising the steps of:
 determining which of the one or more packet flows to delete from the table on the switch based on the list of one or more packet flows received from the switch; 
 transmitting a reset message to a source address and a destination address of the one or more packet flows that the intrusion prevention system has determined to delete; and 
 transmitting an instruction message to the switch identifying which of the one or more packet flows to delete from the table. 
 
     
     
       14. The method of  claim 1 , further comprising the steps of:
 monitoring a current capacity of the intrusion prevention system for analyzing traffic flows; and 
 adjusting a global priority value in response to the current capacity reaching a particular threshold. 
 
     
     
       15. A system for providing intrusion protection for a unique packet flow of network data traffic, comprising:
 a switch operative to:
 receive a first portion of the unique packet flow and determine whether a second portion of the unique packet flow has previously been received; transmit a congestion message to an intrusion prevention system in response to a table of packet flow information on the switch approaching its maximum capacity and transmit a list of one or more packet flows to the intrusion prevention system that can be deleted from the table; and 
 in response to determining that the second portion of the unique packet flow has been received at the switch, check a value of a single status field corresponding to the unique packet flow, and based on the value, perform one of:
 block the first portion of the unique packet flow at the switch without communicating information relating to the unique packet flow to a security device; and 
 transmit the first portion of the unique packet flow from the switch to its intended destination without communicating information relating to the unique packet flow to the security device; and 
 
 
 one or more intrusion prevention systems operative to analyze the first portion of the unique packet flow in response to a determination that the second portion of the unique packet flow has not been previously received at the switch. 
 
     
     
       16. The system of  claim 15 , wherein the switch is further operative to determine whether a second portion of the unique packet flow has previously been received by comparing packet flow information relating to the first portion of the unique packet flow to a plurality of packet flow information entries in a table corresponding to a plurality of previously received packet flows. 
     
     
       17. The system of  claim 16 , wherein the switch is further operative to compare the packet flow information by determining whether a source IP address, a destination IP address, a source port, a destination port, a layer-4 protocol, and a VLAN tag for the first portion of the unique packet flow matches a source IP address, a destination IP address, a source port, a destination port, a layer-4 protocol, and a VLAN tag for one of the plurality of packet flow information entries in the table corresponding to one of the plurality of previously received packet flows. 
     
     
       18. The system of  claim 15 , wherein the switch is further operative to assign the unique packet flow to one of the intrusion prevention systems. 
     
     
       19. The system of  claim 18  wherein the switch is further operative to assigning the unique packet flow to one of the plurality of intrusion prevention systems by:
 creating a hash value for the unique packet flow from the packet flow information; 
 dividing the hash value for the unique packet flow by a number equal to the quantity of intrusion preventions systems that are available to analyze the unique packet flow; and 
 assigning the unique packet flow to one of the plurality of intrusion prevention systems associated with the remainder value from the step of dividing the hash value. 
 
     
     
       20. The system of  claim 15 , wherein the one or more intrusion prevention systems are further operative to analyze the first portion of the unique packet flow in response to determining that the second portion of the unique packet flow has not been received at the switch by:
 assigning a packet flow number to the unique packet flow; 
 gathering packet flow information for the first portion of the unique packet flow; 
 determining whether the first portion of the unique packet flow contains a security violation; and 
 assigning a status value to the unique packet flow. 
 
     
     
       21. The system of  claim 20 , wherein the intrusion prevention system is further operative to:
 assign an interest priority value for the unique packet flow; and 
 assign a global priority value at the switch. 
 
     
     
       22. The system of  claim 15 , wherein the intrusion prevention system is further operative to:
 transmit a flow qualification message relating to the unique packet flow to a table on the switch; and 
 transmit the first portion of the unique packet flow to the switch. 
 
     
     
       23. The system of  claim 15 , wherein the switch is further operative to perform an action on the first portion of the unique packet flow. 
     
     
       24. The system of  claim 23 , wherein the switch is further operative to perform an action on the first portion of the unique packet flow by:
 blocking the first portion of the unique packet flow, and 
 transmitting the first portion of the unique packet flow to its intended destination. 
 
     
     
       25. The system of  claim 15 , wherein in response to a determination that the second portion of the unique packet flow has been previously received at the switch, the switch is further operative to:
 transmit the first portion of the unique packet flow to the intrusion prevention system for analysis. 
 
     
     
       26. The system of  claim 25 , wherein the intrusion prevention system is further operative to analyze the first portion of the unique packet flow in response to the determination that the second portion of the unique packet flow has been previously received at the switch by:
 determining whether the first portion of the unique packet flow contains a security violation; and 
 assigning a status value to the unique packet flow. 
 
     
     
       27. The system of  claim 26 , wherein the intrusion prevention system is further operative to:
 assign an interest priority value for the unique packet flow; and 
 assign a global priority value at the switch. 
 
     
     
       28. The system of  claim 26 , wherein the intrusion prevention system is further operative to:
 transmit a flow qualification message relating to the unique packet flow to a table on the switch; and 
 transmit the first portion of the unique packet flow to the switch. 
 
     
     
       29. The system of  claim 26 , wherein the switch is further operative to perform one of:
 blocking the first portion of the unique packet flow; and 
 transmitting the first portion of the unique packet flow to its intended destination. 
 
     
     
       30. The system of  claim 15 , wherein the intrusion prevention system is operative to:
 determine which of the one or more packet flows to delete from the table on the switch based on the list of one or more packet flows received from the switch; 
 transmit a reset message to a source address and a destination address of the one or more packet flows that the intrusion prevention system has determined to delete; and 
 transmit an instruction message to the switch identifying which of the one or more packet flows to delete from the table. 
 
     
     
       31. The system of  claim 15 , wherein the intrusion prevention system is further operative to:
 monitor its current capacity for analyzing traffic flows; 
 adjust a global priority value in response to the current capacity reaching a particular threshold; and 
 transmit the global priority value to the switch. 
 
     
     
       32. The system of  claim 15 , wherein the switch is further operative to:
 monitor a traffic flow ratio of the intrusion prevention system; and 
 adjust a global priority value in response to the traffic flow ratio of the intrusion prevention system reaching a particular threshold.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.